Welcome to the Eighth Symposium on Usable Privacy and Security! This
year's program features 14 technical papers, one workshop, one tutorial, 14
posters, 13 posters published in the past year at other conferences, a
panel, lightning talks and demo session, and an invited talk. On Thursday
evening SOUPS 2012 attendees will enjoy a dinner at the Microsoft DC
office. This year we received 67 technical paper submissions. The program
committee provided two rounds of reviews. In the first round papers
received an average of three reviews. In the second round, papers that had
received one or more reviews better than "weak reject" in the first round
received additional reviews. The goal of the second round was to ensure
that a consistent standard of acceptance could be applied across all papers
and, to this end, papers received as many as six reviews. We held an
in-person program committee meeting on May 11. Fourteen papers were
selected for presentation and publication.

Mobile privacy and security

In order to direct and build an effective, secure mobile ecosystem, we must
first understand user attitudes toward security and privacy for smartphones and
how they may differ from attitudes toward more traditional computing systems.
What are users' comfort levels in performing different tasks? How do users
select applications? What are their overall perceptions of the platform? This
understanding will help inform the design of more secure smartphones that will
enable users to safely and confidently benefit from the potential and
convenience offered by mobile platforms.
To gain insight into user perceptions of smartphone security and
installation habits, we conduct a user study involving 60 smartphone users.
First, we interview users about their willingness to perform certain tasks on
their smartphones to test the hypothesis that people currently avoid using
their phones due to privacy and security concerns. Second, we analyze why and
how they select applications, which provides information about how users decide
to trust applications. Based on our findings, we present recommendations and
opportunities for services that will help users safely and confidently use
mobile applications and platforms.

Goldilocks and the two mobile devices: going beyond all-or-nothing access to
a device's applications

Most mobile phones and tablets support only two access control device
states: locked and unlocked. We investigated how well all-or-nothing device
access control meets the need of users by interviewing 20 participants who had
both a smartphone and tablet. We find all-or-nothing device access control to
be a remarkably poor fit with users' preferences. On both phones and tablets,
participants wanted roughly half their applications to be available even when
their device was locked and half protected by authentication. We also solicited
participants' interest in new access control mechanisms designed specifically
to facilitate device sharing. Fourteen participants out of 20 preferred these
controls to existing security locks alone. Finally, we gauged participants'
interest in using face and voice biometrics to authenticate to their mobile
phone and tablets; participants were surprisingly receptive to biometrics,
given that they were also aware of security and reliability limitations.

Android's permission system is intended to inform users about the risks of
installing applications. When a user installs an application, he or she has the
opportunity to review the application's permission requests and cancel the
installation if the permissions are excessive or objectionable. We examine
whether the Android permission system is effective at warning users. In
particular, we evaluate whether Android users pay attention to, understand, and
act on permission information during installation. We performed two usability
studies: an Internet survey of 308 Android users, and a laboratory study
wherein we interviewed and observed 25 Android users. Study participants
displayed low attention and comprehension rates: both the Internet survey and
laboratory study found that 17% of participants paid attention to permissions
during installation, and only 3% of Internet survey respondents could correctly
answer all three permission comprehension questions. This indicates that
current Android permission warnings do not help most users make correct
security decisions. However, a notable minority of users demonstrated both
awareness of permission warnings and reasonable rates of comprehension. We
present recommendations for improving user attention and comprehension, as well
as identify open challenges.

User perceptions

We report results of 48 semi-structured interviews about online behavioral
advertising (OBA). We investigated non-technical users' attitudes about and
understanding of OBA, using participants' expectations and beliefs to explain
their attitudes. Participants found OBA to be simultaneously useful and privacy
invasive. They were surprised to learn that browsing history is currently used
to tailor advertisements, yet they were aware of contextual targeting.
Our results identify mismatches between participants' mental models and
current approaches for providing users with notice and choice about OBA.
Participants misinterpreted icons intended to notify them about behavioral
targeting and expected that they could turn to their browser or antivirus
software to control OBA. Participants had strong concerns about data
collection, and the majority of participants believed that advertisers collect
personally identifiable information. They also misunderstood the role of
advertising networks, basing their opinions of an advertising network on that
company's non-advertising activities. Participants' attitudes towards OBA were
complex and context-dependent. While many participants felt tailored
advertising could benefit them, existing notice and choice mechanisms are not
effectively reaching users.

Rapid growth in the usage of location-aware mobile phones has enabled
mainstream adoption of location-sharing services (LSS). Integration with
social-networking services (SNS) has further accelerated this trend. To uncover
how these developments have shaped the evolution of LSS usage, we conducted an
online study (N = 362) aimed at understanding the preferences and practices of
LSS users in the US. We found that the main motivations for location sharing
were to connect and coordinate with one's social and professional circles, to
project an interesting image of oneself, and to receive rewards offered for
'checking in.' Respondents overwhelmingly preferred sharing location only upon
explicit action. More than a quarter of the respondents recalled at least one
instance of regret over revealing their location. Our findings suggest that
privacy considerations in LSS are affected due to integration within SNS
platforms and by transformation of location sharing into an interactive
practice that is no longer limited only to finding people based on their
whereabouts. We offer design suggestions, such as delayed disclosure and
conflict detection, to enhance privacy-management capabilities of LSS.

Non-expert computer users regularly need to make security-relevant
decisions; however, these decisions tend not to be particularly good or
sophisticated. Nevertheless, their choices are not random. Where does the
information come from that these non-experts base their decisions upon? We
argue that much of this information comes from stories they hear from other
people. We conducted a survey to ask open- and closed-ended questions about
security stories people hear from others. We found that most people have
learned lessons from stories about security incidents informally from family
and friends. These stories impact the way people think about security, and
their subsequent behavior when making security-relevant decisions. In addition,
many people retell these stories to others, indicating that a single story has
the potential to influence multiple people. Understanding how non-experts learn
from stories, and what kinds of stories they learn from, can help us figure out
new methods for helping these people make better security decisions.

Users tend to create passwords that are easy to guess, while system-assigned
passwords tend to be hard to remember. Passphrases, space-delimited sets of
natural language words, have been suggested as both secure and usable for
decades. In a 1,476-participant online study, we explored the usability of 3-
and 4-word system-assigned passphrases in comparison to system-assigned
passwords composed of 5 to 6 random characters, and 8-character system-assigned
pronounceable passwords. Contrary to expectations, system-assigned passphrases
performed similarly to system-assigned passwords of similar entropy across the
usability metrics we examined. Passphrases and passwords were forgotten at
similar rates, led to similar levels of user difficulty and annoyance, and were
both written down by a majority of participants. However, passphrases took
significantly longer for participants to enter, and appear to require
error-correction to counteract entry mistakes. Passphrase usability did not
seem to increase when we shrunk the dictionary from which words were chosen,
reduced the number of words in a passphrase, or allowed users to change the
order of words.

Text-based password systems are the authentication mechanism most commonly
used on computer systems. Graphical passwords have recently been proposed
because the pictorial-superiority effect suggests that people have better
memory for images. The most widely advocated graphical password systems are
based on recognition rather than recall. This approach is favored because
recognition is a more effective manner of retrieval than recall, exhibiting
greater accuracy and longevity of material. However, schemes such as these
combine both the use of graphical images and the use of recognition as a
retrieval mechanism. This paper reports on a study that sought to address this
confound by exploring the recognition of text as a novel means of
authentication. We hypothesized that there would be significant differences
between text recognition and text recall conditions. Our study, however, showed
that the conditions were comparable; we found no significant difference in
memorability. Furthermore, text recognition required more time to authenticate
successfully.

Online social networks

We measure users' attitudes toward interpersonal privacy concerns on
Facebook and measure users' strategies for reconciling their concerns with
their desire to share content online. To do this, we recruited 260 Facebook
users to install a Facebook application that surveyed their privacy concerns,
their friend network compositions, the sensitivity of posted content, and their
privacy-preserving strategies. By asking participants targeted questions about
people randomly selected from their friend network and posts shared on their
profiles, we were able to quantify the extent to which users trust their
"friends" and the likelihood that their content was being viewed by unintended
audiences. We found that while strangers are the most concerning audience,
almost 95% of our participants had taken steps to mitigate those concerns. At
the same time, we observed that 16.5% of participants had at least one post
that they were uncomfortable sharing with a specific friend -- someone who
likely already had the ability to view it -- and that 37% raised more general
concerns with sharing their content with friends. We conclude that the current
privacy controls allow users to effectively manage the outsider threat, but
that they are unsuitable for mitigating concerns over the insider threat --
members of the friend network who dynamically become inappropriate audiences
based on the context of a post.

Are privacy concerns a turn-off?: engagement and privacy in social networks

We describe survey results from a representative sample of 1,075 U.S.
social network users who use Facebook as their primary network. Our results
show a strong association between low engagement and privacy concern.
Specifically, users who report concerns around sharing control, comprehension
of sharing practices or general Facebook privacy concern, also report
consistently less time spent as well as less (self-reported) posting,
commenting and "Like"ing of content. The limited evidence of other significant
differences between engaged users and others suggests that privacy-related
concerns may be an important gate to engagement. Indeed, privacy concern and
network size are the only malleable attributes that we find to have significant
association with engagement. We manually categorize the privacy concerns,
finding that many are nonspecific and not associated with negative personal
experiences. Finally, we identify some education and utility issues associated
with low social network activity, suggesting avenues for increasing engagement
amongst current users.

Several billion Facebook messages are sent every day. While there are many
solutions to email security whose usability has been extensively studied,
little work has been done in the area of message security for Facebook and even
less on the usability aspects in this area. To evaluate the need for such a
mechanism, we conducted a screening study with 514 participants, which showed a
clear desire to protect private messages on Facebook. We therefore proceeded to
analyse the usability of existing approaches and extracted key design decisions
for further evaluation. Based on this analysis, we conducted a laboratory study
with 96 participants to analyse different usability aspects and requirements of
a Facebook message encryption mechanism. Two key findings of our study are that
automatic key management and key recovery capabilities are important features
for such a mechanism. Following on from these studies, we designed and
implemented a usable service-based encryption mechanism for Facebook
conversations. In a final study with 15 participants, we analysed the usability
of our solution. All participants were capable of successfully encrypting their
Facebook conversations without error when using our service, and the mechanism
was perceived as usable and useful. The results of our work suggest that in the
context of the social web, new security/usability trade-offs can be explored to
protect users more effectively.

Access control

Users are sharing and consuming enormous amounts of information through
online social network interaction every day. Yet, many users struggle to
control what they share to their overlapping social spheres. Google+ introduces
circles, a mechanism that enables users to group friends and use these groups
to control their social network feeds and posts. We present the results of a
qualitative interview study on the sharing perceptions and behavior of 27
Google+ users. These results indicate that many users have a clear
understanding of circles, using them to target information to those most
interested in it. Yet, despite these positive perceptions, there is only
moderate use of circles to control information flow. We explore reasons and
risks associated with these behaviors and provide insight on the impact and
open questions of this privacy mechanism.

Users' mental models of privacy and visibility in social networks often
involve subgroups within their local networks of friends. Many social
networking sites have begun building interfaces to support grouping, like
Facebook's lists and "Smart Lists," and Google+'s "Circles." However, existing
policy comprehension tools, such as Facebook's Audience View, are not aligned
with this mental model. In this paper, we introduce PViz, an interface and
system that corresponds more directly with how users model groups and privacy
policies applied to their networks. PViz allows the user to understand the
visibility of her profile according to automatically-constructed, natural
sub-groupings of friends, and at different levels of granularity. Because the
user must be able to identify and distinguish automatically-constructed groups,
we also address the important sub-problem of producing effective group labels.
We conducted an extensive user study comparing PViz to current policy
comprehension tools (Facebook's Audience View and Custom Settings page). Our
study revealed that PViz was comparable to Audience View for simple tasks, and
provided a significant improvement for complex, group-based tasks, despite
requiring users to adapt to a new tool. Utilizing feedback from the user study,
we further iterated on our design, constructing PViz 2.0, and conducted a
follow-up study to evaluate our refinements.

Usability is widely recognized as a problem in the context of the
administration of access control systems. We seek to relate the notion of
declarative semantics, a recurring theme in research in access control, with
usability. We adopt the concrete context of POSIX ACLs and the traditional
interface for it that comprises two utilities getfacl and setfacl whose natural
semantics is operational. We have designed and implemented an alternate
interface that we call askfacl whose natural semantics is declarative. We
discuss our design of askfacl. We then discuss a human-subject usability study
that we have designed and conducted that compares the two interfaces. Our
results measurably demonstrate the goodness of declarative semantics in access
control.